File name: 1.zip
Full analysis: https://app.any.run/tasks/1e366cad-e46d-426e-8874-04accb9d197e
Verdict: Malicious activity
Threats:
GandCrab is one of the best-known ransomware families. Ransomware is malware that encrypts the victim's files and demands payment for the key that restores access; if the victim does not pay and has no backup, the files are usually unrecoverable. The sample in this task also drops Remcos, a commercially sold remote access tool (RAT) with keylogging, which the indicators below attribute to PID 2072.

Analysis date: May 24, 2019, 18:13:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: keylogger, rat, remcos, ransomware, gandcrab, trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 67CC2564524A4B6EB0E795E3396C5620
SHA1: 31AE2BA8206FFD5CD6B14F6BCD925ED5F455AAEF
SHA256: FB37B866F3491A269EC5EA07D23D9F7BE2E5C7D5282ECA8B6C7F75A835E63A1C
SSDEEP: 24576:PkF3st3spqsulWWX5euBGEfcqR0YR0LuLRyOWqc3n8owEd:PkydspqzlL4CUq3yONBowe

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by user actions in the sandbox and is provided as-is. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • m™¥°ö¾¯h—ó.exe (PID: 3324)
      • Crypter.exe (PID: 3820)
      • Crypter.exe (PID: 3488)
      • FirefoxCrashReporters.exe (PID: 2852)
      • FirefoxCrashReporter.exe (PID: 2072)
      • FirefoxCrashReporter.exe (PID: 932)
      • FirefoxCrashReporter.exe (PID: 3444)
      • FirefoxCrashReporter.exe (PID: 1964)
      • FirefoxCrashReporter.exe (PID: 3960)
    • Changes the autorun value in the registry

      • FirefoxCrashReporters.exe (PID: 2852)
      • FirefoxCrashReporter.exe (PID: 2072)
    • Changes the login/logoff helper path in the registry

      • FirefoxCrashReporters.exe (PID: 2852)
      • FirefoxCrashReporter.exe (PID: 2072)
    • Saves itself using automatic execution at hidden registry location

      • FirefoxCrashReporters.exe (PID: 2852)
      • FirefoxCrashReporter.exe (PID: 2072)
    • UAC/LUA settings modification

      • reg.exe (PID: 3680)
      • reg.exe (PID: 3720)
    • Uses SVCHOST.EXE for hidden code execution

      • FirefoxCrashReporter.exe (PID: 2072)
    • REMCOS RAT was detected

      • FirefoxCrashReporter.exe (PID: 2072)
    • Detected logs from REMCOS RAT

      • FirefoxCrashReporter.exe (PID: 2072)
    • Writes file to Word startup folder

      • FirefoxCrashReporter.exe (PID: 932)
    • Actions look like stealing of personal data

      • FirefoxCrashReporter.exe (PID: 932)
      • FirefoxCrashReporter.exe (PID: 3960)
      • FirefoxCrashReporter.exe (PID: 3444)
    • Renames files like Ransomware

      • FirefoxCrashReporter.exe (PID: 932)
    • Dropped file may contain instructions of ransomware

      • FirefoxCrashReporter.exe (PID: 932)
    • Runs injected code in another process

      • FirefoxCrashReporter.exe (PID: 1964)
    • Application was injected by another process

      • lsass.exe (PID: 496)
    • Changes settings of System certificates

      • FirefoxCrashReporter.exe (PID: 932)
    • Deletes shadow copies

      • cmd.exe (PID: 2644)
    • GANDCRAB detected

      • FirefoxCrashReporter.exe (PID: 932)
    • Connects to CnC server

      • FirefoxCrashReporter.exe (PID: 932)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2944)
      • Crypter.exe (PID: 3820)
      • FirefoxCrashReporters.exe (PID: 2852)
    • Starts CMD.EXE for commands execution

      • FirefoxCrashReporters.exe (PID: 2852)
      • WScript.exe (PID: 3752)
      • FirefoxCrashReporter.exe (PID: 2072)
      • FirefoxCrashReporter.exe (PID: 932)
    • Writes files like Keylogger logs

      • Crypter.exe (PID: 3820)
      • FirefoxCrashReporters.exe (PID: 2852)
      • FirefoxCrashReporter.exe (PID: 2072)
    • Creates files in the Windows directory

      • FirefoxCrashReporters.exe (PID: 2852)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3712)
      • cmd.exe (PID: 2560)
    • Executes scripts

      • FirefoxCrashReporters.exe (PID: 2852)
    • Application launched itself

      • FirefoxCrashReporter.exe (PID: 2072)
    • Creates files in the user directory

      • FirefoxCrashReporter.exe (PID: 2072)
      • lsass.exe (PID: 496)
      • FirefoxCrashReporter.exe (PID: 932)
    • Creates files in the program directory

      • FirefoxCrashReporter.exe (PID: 932)
    • Loads DLL from Mozilla Firefox

      • FirefoxCrashReporter.exe (PID: 1964)
      • FirefoxCrashReporter.exe (PID: 3444)
    • Reads the cookies of Mozilla Firefox

      • FirefoxCrashReporter.exe (PID: 932)
    • Executed as Windows Service

      • vssvc.exe (PID: 2508)
    • Adds / modifies Windows certificates

      • FirefoxCrashReporter.exe (PID: 932)
  • INFO

    • Manual execution by user

      • m™¥°ö¾¯h—ó.exe (PID: 3324)
      • Crypter.exe (PID: 3820)
    • Dropped object may contain Bitcoin addresses

      • FirefoxCrashReporter.exe (PID: 932)
    • Dropped object may contain Tor URLs

      • FirefoxCrashReporter.exe (PID: 932)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP)
ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2019:05:24 20:08:10
ZipCRC: 0x321293cf
ZipCompressedSize: 488681
ZipUncompressedSize: 492684
ZipFileName: Crypter.exe

Note on the EXIF values: compression method 99 is the marker for WinZip AES-encrypted entries, and bit 0 of ZipBitFlag (0x0009) is the "encrypted" flag (bit 3 means the CRC and sizes follow in a data descriptor). The entry Crypter.exe is therefore password-protected, which is why static scanners see only the archive container and why the analyst opened it in WinRAR (PID 2944) to get at the payload.
Total processes: 65
Monitored processes: 21
Malicious processes: 9
Suspicious processes: 2

Behavior graph

Edge types: start; drop and start; inject.
Process nodes in graph order: winrar.exe; m™¥°ö¾¯h—ó.exe; crypter.exe; firefoxcrashreporters.exe; crypter.exe (no specs); cmd.exe (no specs); reg.exe (no specs); wscript.exe (no specs); cmd.exe (no specs); #REMCOS firefoxcrashreporter.exe; cmd.exe (no specs); svchost.exe (no specs); reg.exe (no specs); #GANDCRAB firefoxcrashreporter.exe; firefoxcrashreporter.exe; firefoxcrashreporter.exe (no specs); firefoxcrashreporter.exe; lsass.exe; cmd.exe (no specs); vssadmin.exe (no specs); vssvc.exe (no specs)

Process information

PID 2944
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 3324
  CMD: "C:\Users\admin\Desktop\m™¥°ö¾¯h—ó.exe"
  Path: C:\Users\admin\Desktop\m™¥°ö¾¯h—ó.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH
  Exit code: 3221225547 (0xC000004B)
  Version: 1.00

PID 3820
  CMD: "C:\Users\admin\Desktop\Crypter.exe"
  Path: C:\Users\admin\Desktop\Crypter.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH
  Exit code: 0

PID 2852
  CMD: "C:\Users\admin\AppData\Local\Temp\FirefoxCrashReporters.exe"
  Path: C:\Users\admin\AppData\Local\Temp\FirefoxCrashReporters.exe
  Parent process: Crypter.exe
  User: admin
  Integrity Level: HIGH
  Exit code: 0

PID 3488
  CMD: "C:\Users\admin\AppData\Local\Temp\Crypter.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Crypter.exe
  Parent process: Crypter.exe
  User: admin
  Integrity Level: HIGH
  Exit code: 0
  Version: 1.00

PID 3712
  CMD: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  Path: C:\Windows\System32\cmd.exe
  Parent process: FirefoxCrashReporters.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows Command Processor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3680
  CMD: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  Path: C:\Windows\System32\reg.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Registry Console Tool
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3752
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs"
  Path: C:\Windows\System32\WScript.exe
  Parent process: FirefoxCrashReporters.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385

PID 2000
  CMD: "C:\Windows\System32\cmd.exe" /c "C:\Windows\System32\FirefoxUpdater\FirefoxCrashReporter.exe"
  Path: C:\Windows\System32\cmd.exe
  Parent process: WScript.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows Command Processor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2072
  CMD: C:\Windows\System32\FirefoxUpdater\FirefoxCrashReporter.exe
  Path: C:\Windows\System32\FirefoxUpdater\FirefoxCrashReporter.exe
  Parent process: cmd.exe
  User: admin
  Integrity Level: HIGH
Total events: 1 935
Read events: 1 312
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 4
Suspicious files: 390
Text files: 318
Unknown types: 13

Dropped files

PID 2944, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRb2944.11976\m™¥°ö¾¯h—ó.exe
  MD5:
  SHA256:

PID 932, FirefoxCrashReporter.exe
  File: C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi
  MD5:
  SHA256:

PID 932, FirefoxCrashReporter.exe
  File: C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim
  MD5:
  SHA256:

PID 932, FirefoxCrashReporter.exe
  File: C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.uwofmi
  MD5:
  SHA256:

PID 932, FirefoxCrashReporter.exe
  File: C:\MSOCache\UWOFMI-MANUAL.txt
  Type: text
  MD5: 24D6E024EF1007123CAE0CE48A9A4DB4
  SHA256: 38D8718C9F2BF2FE55134815A93FDD696D30C276B9138B6EC6253B06C4A53EF5

PID 2072, FirefoxCrashReporter.exe
  File: C:\Users\admin\AppData\Roaming\remcos\logs.dat
  Type: text
  MD5: 07F05585A406A60B1BCD63F94D9B7156
  SHA256: 5E2106E3B2B231C5787C386E830F547950172CB2A4C6694DAF2B28227A7C2FFB

PID 932, FirefoxCrashReporter.exe
  File: C:\PerfLogs\Admin\UWOFMI-MANUAL.txt
  Type: text
  MD5: 24D6E024EF1007123CAE0CE48A9A4DB4
  SHA256: 38D8718C9F2BF2FE55134815A93FDD696D30C276B9138B6EC6253B06C4A53EF5

PID 932, FirefoxCrashReporter.exe
  File: C:\Recovery\UWOFMI-MANUAL.txt
  Type: text
  MD5: 24D6E024EF1007123CAE0CE48A9A4DB4
  SHA256: 38D8718C9F2BF2FE55134815A93FDD696D30C276B9138B6EC6253B06C4A53EF5

PID 932, FirefoxCrashReporter.exe
  File: C:\PerfLogs\UWOFMI-MANUAL.txt
  Type: text
  MD5: 24D6E024EF1007123CAE0CE48A9A4DB4
  SHA256: 38D8718C9F2BF2FE55134815A93FDD696D30C276B9138B6EC6253B06C4A53EF5

PID 932, FirefoxCrashReporter.exe
  File: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
  MD5:
  SHA256:

The four UWOFMI-MANUAL.txt copies share one hash (the GandCrab ransom note dropped into every directory the encryptor visits), Winre.wim.uwofmi shows the appended .uwofmi extension on an encrypted file, and remcos\logs.dat is the Remcos keylogger log written by PID 2072.
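The dropped-file rows give a responder two artefacts to pivot on: a ransom note named after the extension (UWOFMI-MANUAL.txt) and victim files carrying that extension in lower case (Winre.wim.uwofmi). The script below is an added example, not code from the report, that hunts a directory tree for exactly that pairing: it finds every <EXT>-MANUAL.txt note, derives the encryption extension from the note name, lists the files renamed with it, and checks that all note copies are byte-identical by hashing them. The note-name pattern (4 to 10 upper-case letters, then -MANUAL.txt) is an assumption generalised from the one extension on this page, and the sample tree it builds under a temp directory uses placeholder contents, not the real note or ciphertext.

```python
"""Hunt a file system for the GandCrab encryption pattern shown in the
Dropped files table: <EXT>-MANUAL.txt notes plus files renamed *.<ext>.

Added example, not part of the ANY.RUN report. build_sample_tree() lays
out a temporary directory mirroring the report's paths with placeholder
contents; NOTE_RE is an assumed generalisation of UWOFMI-MANUAL.txt.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

NOTE_RE = re.compile(r"^([A-Z]{4,10})-MANUAL\.txt$")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root):
    """Return {EXT: {"notes": [...], "note_hashes": [...], "encrypted": [...]}}.

    One walk collects every file and every candidate note; each note
    extension is then paired with the files that carry it in lower case.
    """
    notes = defaultdict(list)
    all_files = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            all_files.append(full)
            m = NOTE_RE.match(fn)
            if m:
                notes[m.group(1)].append(full)

    results = {}
    for ext, note_paths in notes.items():
        suffix = "." + ext.lower()
        encrypted = [p for p in all_files if os.path.basename(p).endswith(suffix)]
        results[ext] = {
            "notes": sorted(note_paths),
            # a single distinct hash means every note copy is identical,
            # as the four UWOFMI-MANUAL.txt rows in the report show
            "note_hashes": sorted({sha256_file(p) for p in note_paths}),
            "encrypted": sorted(encrypted),
        }
    return results


# Constructed layout mirroring the report's dropped-file paths.
SAMPLE_LAYOUT = {
    ("Recovery", "345b46fe-a9f9-11e7-a83c-e8a4f72b1d33", "boot.sdi"): b"boot image placeholder",
    ("Recovery", "345b46fe-a9f9-11e7-a83c-e8a4f72b1d33", "Winre.wim.uwofmi"): b"ciphertext placeholder",
    ("Recovery", "UWOFMI-MANUAL.txt"): b"ransom note placeholder",
    ("MSOCache", "UWOFMI-MANUAL.txt"): b"ransom note placeholder",
    ("PerfLogs", "UWOFMI-MANUAL.txt"): b"ransom note placeholder",
    ("PerfLogs", "Admin", "UWOFMI-MANUAL.txt"): b"ransom note placeholder",
    ("Users", "admin", "notes.txt"): b"untouched user file",
}


def build_sample_tree(root):
    for parts, data in SAMPLE_LAYOUT.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def run_sample():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return hunt(root)


if __name__ == "__main__":
    for ext, info in run_sample().items():
        print(f".{ext.lower()}: {len(info['notes'])} notes, "
              f"{len(info['note_hashes'])} distinct note hash(es), "
              f"{len(info['encrypted'])} encrypted file(s)")
        for p in info["encrypted"]:
            print("  encrypted:", p)
```

Point hunt() at a mounted image or a live volume to get the encrypted-file inventory a recovery effort needs; untouched files such as boot.sdi and the user's notes.txt are left out, and a note whose hash differs from the others is worth a second look because it would mean something other than the encryptor wrote it.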
HTTP(S) requests: 1
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

PID 932, FirefoxCrashReporter.exe
  Method: GET
  HTTP code: 301
  IP: 185.52.2.154:80
  URL: http://www.kakaocorp.link/
  CN: NL
  Type: html
  Size: 162 b
  Reputation: malicious

Connections

IP: 185.52.2.154:80
  Domain: www.kakaocorp.link
  ASN: RouteLabel V.O.F.
  CN: NL
  Reputation: suspicious

IP: 185.52.2.154:443
  Domain: www.kakaocorp.link
  ASN: RouteLabel V.O.F.
  CN: NL
  Reputation: suspicious

PID 2072, FirefoxCrashReporter.exe
  IP: 79.49.182.223:2404
  Domain: calcio886.duckdns.org
  ASN: Telecom Italia
  CN: IT
  Reputation: malicious

DNS requests

calcio886.duckdns.org
  IP: 79.49.182.223
  Reputation: malicious

www.kakaocorp.link
  IP: 185.52.2.154
  Reputation: malicious

Threats

Class: Misc activity
  Message: ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

PID 932, FirefoxCrashReporter.exe
  Class: A Network Trojan was detected
  Message: MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server

PID 932, FirefoxCrashReporter.exe
  Class: A Network Trojan was detected
  Message: MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server

2 ETPRO signatures are available only in the full report.
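The network section hands over two C2 endpoints: the Remcos controller on a Telecom Italia address reached through a DuckDNS name (the dynamic-DNS query is what the ET INFO signature above flags) and the GandCrab server behind www.kakaocorp.link. The script below is an added example, not code from the report or from ANY.RUN, that turns those rows into blocking content: it classifies each domain as dynamic DNS or not and emits Suricata rules, one DNS-query rule per distinct domain and one TCP rule per ip:port. The dynamic-DNS suffix list, the SID range and the use of tcp for every connection (the report labels the rows only as TCP/UDP) are assumptions; the DNS rule uses the Suricata 5+ dns.query sticky buffer.

```python
"""Suricata rules and dynamic-DNS classification for this report's network IOCs.

Added example, not part of the ANY.RUN report. IOCS is constructed from the
Connections and DNS requests tables; DYNAMIC_DNS_SUFFIXES, the SID range and
the tcp protocol choice are assumptions.
"""

# Assumed provider list; extend it from your own intel. A dynamic-DNS name
# lets an operator on a residential line re-point the C2 at whatever address
# they currently hold, which is why the ET INFO signature flags the query.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")

# Constructed from the report's Connections and DNS requests tables.
IOCS = [
    {"family": "Remcos", "domain": "calcio886.duckdns.org",
     "ip": "79.49.182.223", "port": 2404},
    {"family": "GandCrab", "domain": "www.kakaocorp.link",
     "ip": "185.52.2.154", "port": 80},
    {"family": "GandCrab", "domain": "www.kakaocorp.link",
     "ip": "185.52.2.154", "port": 443},
]


def is_dynamic_dns(domain):
    """True when the name is a known dynamic-DNS provider or a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def suricata_rules(iocs, base_sid=9000000):
    """One dns.query rule per distinct domain, one tcp rule per ip:port pair."""
    rules = []
    sid = base_sid
    seen_domains = set()
    for ioc in iocs:
        dom = ioc["domain"].lower()
        if dom not in seen_domains:
            seen_domains.add(dom)
            tag = " (dynamic DNS)" if is_dynamic_dns(dom) else ""
            rules.append(
                f'alert dns $HOME_NET any -> any any '
                f'(msg:"{ioc["family"]} C2 DNS query {dom}{tag}"; '
                # isdataat:!1,relative anchors the match at the end of the
                # query so a longer name that merely contains dom is skipped
                f'dns.query; content:"{dom}"; nocase; isdataat:!1,relative; '
                f'sid:{sid}; rev:1;)'
            )
            sid += 1
        rules.append(
            f'alert tcp $HOME_NET any -> {ioc["ip"]} {ioc["port"]} '
            f'(msg:"{ioc["family"]} C2 connection {ioc["ip"]}:{ioc["port"]}"; '
            f'flow:to_server; sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules


def classify(iocs):
    """Summary rows for a blocklist: (family, domain, ip, port, dynamic_dns)."""
    return [(i["family"], i["domain"], i["ip"], i["port"], is_dynamic_dns(i["domain"]))
            for i in iocs]


if __name__ == "__main__":
    for row in classify(IOCS):
        print(row)
    print()
    print("\n".join(suricata_rules(IOCS)))
```

Drop the emitted rules into a local.rules file and reload Suricata; the DNS rules catch the resolution even if the operator moves the DuckDNS name to a new address tomorrow, while the tcp rules cover direct-to-IP traffic that never resolves a name. Keep the SIDs in the private range (1000000 and above) so they never collide with ET or vendor rule sets.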
No debug info